CVE Catalog

CVE-2026-21724

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile - higher than 15% of all known CVEs

Summary

A vulnerability has been discovered in Grafana OSS that allows an authorization bypass in the provisioning contact points API. Users with Editor role can modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

Risk Assessment

Organizations may be exposed to unauthorized changes in webhook configurations, potentially leading to data leaks or unauthorized access to systems.

Recommendation

It is recommended to restrict access to the provisioning contact points API and review user roles to ensure that only authorized personnel can modify protected webhook URLs.

Original NVD description (English source)

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS